CVE-2026-56357
medium
CVSS v3
4.0
CVSS v4
6.3
VIR risk
4.0
Description
n8n: Webhook Forgery on GitHub Webhook Trigger
Predictions
Exploit likelihood
50%
Patch ETA
N/A
Heuristic predictions, AS-IS, for prioritization only.
Mitigations
No mitigations published for this CVE yet.
References
- https://github.com/n8n-io/n8n/security/advisories/GHSA-mqpr-49jj-32rc
- https://www.vulncheck.com/advisories/n8n-webhook-forgery-via-missing-hmac-sha256-signature-verification-in-github-webhook-trigger
- https://github.com/n8n-io/n8n/commit/a19347a6bc9a96d5065ac77d25a811e46178c578
- https://github.com/n8n-io/n8n/commit/afe322325502f448b33bff1db1575e4447c28a36
- https://github.com/n8n-io/n8n
CWEs
CWE-290